Security experts and analysts tell Information Security Media Group that although many private-sector industries responded to the attack well, public-sector organizations haven't fared as well because of insufficient security practices. (see: Is WannaCry the First Nation-State Ransomware?).

The frenzied response to the threat indicates that many organizations are neglecting basic security practices, such as patching, and failing to take advisories seriously despite growing awareness. "The security culture is to blame," says Sahir Hidayatullah, co-founder and CEO at Mumbai-based Smokescreen Technologies. "People are not being proactive, and the focus is on preventing what has already happened."

Reactive Security to Blame

While there is no official list of companies affected by WannaCry ransomware in India, media reports refer to multiple infections in the banking and the financial sector, a national stock exchange, research labs, fast-moving consumer goods companies, manufacturing companies, systems of the Maharashtra and Andhra Pradesh police, major IT companies and other infections in the states of Gujarat and Maharashtra.

Shomiron Das Gupta, founder of Mumbai-based security services firm Netmonastery, believes relatively few enterprises have been affected. "The home users, running unpatched, unlicensed system, are contributing to the spread of the malware," he says.

The WannaCry campaign highlights the reactive state of security in Indian enterprises. Hidayatullah says that a day after the malware began spreading globally, many security leaders in India were unsure if they had patched vulnerable Windows systems, and so they had to scramble to get patching reports to determine their exposure to the threat. Because the attack hit over a weekend, many of the systems/endpoints were offline and could only be patched once they came onto the corporate network.

The Microsoft SMB patch - MS17-010 - for newer Windows systems was released in March and should have been widely deployed by now, Hidayatullah notes. "But very few were patched for this. Here is a flaw rated critical by Microsoft, and which is known to be easily weaponizable and used by APT groups and the NSA. If this is not incentive enough, at what point would you consider patching?"

He says the exploit, used by Smokescreen's red teams during pen-testing activities, is like a skeleton key for a vulnerable windows systems.

Why So Slow to Patch?

Indian enterprises have traditionally been slow to patch. Security teams and CISOs may want to patch immediately, but many business owners demand patches be thoroughly tested to avoid any potential business downtime - usually taking weeks of testing and compliance clearances, Hidayatullah says. As a result, some patches are never made.

Shree Parthsarathy, partner and national leader for cyber risk at Deloitte India, notes: "From the trends we see, there are organizations that take three to four months to roll out patches. This is because they aren't part of early beta programs and can only test the patches once they are publically released, which takes four to six weeks. Once tested, it takes months more to roll these out across the organization."

Deloitte's Shree Parthasarathy on India's Patching woes

Parthasarathy also contends that India has a big issue with unlicensed software being illegally used in enterprises, which prevents these systems from receiving security updates.

Some practitioners say many older systems, including SCADA and industrial control systems, medical devices and ATMs, run on older operating systems, including Windows XP, which Microsoft no longer supports without expensive extended support contracts.

"For some of our customers in these industries using XP, there wasn't even a patch available when the attacks started spreading. Fortunately Microsoft rolled out an emergency XP patch for this vulnerability, so now it can be fixed," Hidayatullah says (see: WannaCry Outbreak: Microsoft Issues Emergency XP Patch).

Another challenge is the use of custom third-party business applications, including core banking systems and ERP systems, that have specific legacy OS requirements. The third party may even own the app, preventing organizations from intervening.

Life After WannaCry

The unpatched Windows SMB vulnerability may have been exploited in other ways beyond WannaCry.

A proactive security posture focusing on detection and response is needed to address the newer threats, Hidayatullah says. "Or else, be prepared to continue to play high-stakes security whack-a-mole with every attack."

About the Author

Haran has been a technology journalist in the Indian market for over six years, covering the enterprise technology segment and specializing in information security. He has driven multiple industry events such as the India Computer Security Conferences (ICSC) and the first edition of the Ground Zero Summit 2013 during his stint at UBM. Prior to joining ISMG, Haran was first a reporter with TechTarget writing for SearchSecurity and SearchCIO; and later, correspondent with InformationWeek, where he covered enterprise technology-related topics for the CIO and IT practitioner.

Operation Success!

Risk Management Framework: Learn from NIST

From heightened risks to increased regulations, senior leaders at all levels are pressured to
improve their organizations' risk management capabilities. But no one is showing them how -
until now.

Learn the fundamentals of developing a risk management program from the man who wrote the book
on the topic: Ron Ross, computer scientist for the National Institute of Standards and
Technology. In an exclusive presentation, Ross, lead author of NIST Special Publication 800-37
- the bible of risk assessment and management - will share his unique insights on how to:

Understand the current cyber threats to all public and private sector organizations;

Develop a multi-tiered risk management approach built upon governance, processes and
information systems;